The high-profile cyberattack on Sony that resulted in the film “The Interview” being pulled from theaters adds a new dimension to the threats involved in state-sponsored cyber terrorism: blackmail directed at private companies.
Hackers who had tapped into Sony Picture Entertainment’s computer systems and released information ranging from emails to screenplays threatened to attack theaters that showed the movie, a comedy about the assassination of North Korean leader Kim Jong Un.
The threats against Sony were the first high-profile example of a belligerent government forcing a private business to meet its demands. It could mean extra costs to manage cybersecurity threats for businesses already burdened by the threats posed by data thieves acting for personal gain.
White House spokesman Josh Earnest said Thursday that the administration was treating the incident as a “serious national security matter.” He added that the U.S. would “need a proportional response” to a state-sponsored cyberattack.
Speaking at a public event Thursday, National Economic Council director Jeffrey Zients declined to state the potential economic impact of the incident. “The focus is on what can we do to get ahead of this and protect our networks,” he said.
In particular, he said that it showed the necessity of congressional action on legislation to boost information-sharing about cybersecurity threats between companies and government, as well as liability protections and consumer protections.
Sen. John McCain, R-Ariz., who faulted the Obama administration for failing to develop a strategy to combat cyber terrorism, called on Congress to pass the “long-overdue” cybersecurity legislation.
“By effectively yielding to aggressive acts of cyber terrorism by North Korea,” McCain said Thursday, the cancellation of the film “sets a troubling precedent that will only empower and embolden bad actors to use cyber as an offensive weapon even more aggressively in the future.”
But critics of the leading legislation stalled in the Senate argue that it would infringe privacy rights, and that companies already have the tools needed to report and protect against cybercrimes if they are willing to use them.
“Businesses do not need new legislation to tackle these threats,” Electronic Frontier Foundation legislative analyst Mark Jaycox told the Washington Examiner. “What they do need is a more proactive [Department of Homeland Security] reaching out to secure business partnerships and a more proactive IT department sharing threat information with the DHS.”
Jaycox noted that a majority of intrusions are facilitated by end-user errors, such as employees downloading malware or making other basic mistakes. In other high-profile incidents, such as the late 2013 breach of Target, he noted, companies were alerted to problems early on but failed to respond. “Another step is more vigilant — human — monitoring,” Jaycox said.
This summer, JPMorgan Chase was breached by hackers who stole the information of 76 million households and about seven million small businesses. Although neither the bank nor the Obama administration confirmed who was behind the attack, it was reported that the hackers were working on behalf of the Russian government, perhaps in reprisal for the sanctions placed on Vladimir Putin’s administration by Obama. Hackers working for the Chinese government have targeted U.S. defense contractors.
It’s clear that with or without legislation, cybersecurity costs are set to rise in the U.S.
“There is no one single point where cybersecurity can be guaranteed or secured. It requires ongoing consultation,” said Treasury Secretary Jack Lew Thursday. “The challenge [of cybersecurity] won’t go away. It will evolve.”
A survey of 59 businesses from different industries conducted by the Ponemon Institute found that the cost of cybersecurity ranged from $1.6 million to $61 million, and that the average doubled between 2013 and 2014. Costs can be far higher for some large organizations: JPMorgan CEO Jamie Dimon said in October that the bank would probably double its cybersecurity spending from its current $250 million annual level.

